Support Forum
Tutek
Contributor

MAC Address-Based Policies

Hi,

I would like to use a MAC-based device in an IPv4 policy. I have created such a device as MAC-based and this device is visible in "Addresses". But when creating the IPv4 policy for the destination on the "Devices" tab, I cannot see this MAC-based device.

No MAC-address devices (with their own MAC-address icons) are displayed in the "Devices" tab.

What am I doing wrong? FortiOS 6.4

seshuganesh
Staff

Hi Team,

From my understanding, you have configured a MAC-based address as shown in the screenshot below:

[Screenshot: seshuganesh_0-1651145117582.png]

If so, can you check it in the firewall policy under the address field, as shown in the screenshot below:

[Screenshot: seshuganesh_1-1651145169690.png]

Please check and keep us posted.

Meseguer24

Hi seshuganesh,

The same is happening to me, but the difference from your picture is that we cannot find the MAC-based address in the destination field.

The idea is to create a policy that only allows communication between 2 specific devices using their corresponding MACs.

When setting the source, it is fine: I can find the MAC1 I want to allow to cross to the other subnet. However, when setting the destination address, I am not able to find in the list the MAC2 I want to make reachable from MAC1.

Both appear in the general Address list; however, I have tried many ways to find it in the destination field without success.

My temporary workaround has been setting the IP address of Device2 on the destination. However, I don't much like this solution, as someone could set it manually and so make themselves reachable from Device1.

I used to do it before in other FWs, but this time I don't know what I am missing.

Any clue about this?

Thank you in advance.

--CV

kcheng

Hi @Meseguer24

You may want to check the deployment mode of your firewall. In NAT mode, a MAC address object can only be set as the source address. If the FortiGate/VDOM is configured in transparent mode or virtual wire pair mode, a MAC address object can be set as source or destination. You may refer to the following document:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-MAC-Addressed-Based-Policies...

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
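The two cases described in the reply above, written out as FortiOS CLI configuration. This is an added example, not configuration from the original thread or from Fortinet's documentation; the object names, interface names (port2, port3), the virtual wire pair name and the MAC/IP values are constructed placeholders, and the exact `set macaddr` syntax is assumed from FortiOS 6.4 and should be checked against your own firmware.

```text
# --- MAC-based address objects (same objects in both deployment modes) ---
config firewall address
    edit "MAC-Device1"
        set type mac
        set macaddr "00:11:22:33:44:55"
    next
    edit "MAC-Device2"
        set type mac
        set macaddr "00:11:22:33:44:66"
    next
    # IP object used only for the NAT-mode workaround below
    edit "IP-Device2"
        set subnet 10.0.20.10 255.255.255.255
    next
end

# --- Case 1: NAT mode ---
# MAC object is accepted as srcaddr only; the destination must be an IP object.
# Anyone who statically assigns 10.0.20.10 to another host on that segment
# will match this policy, which is the weakness the thread points out.
config firewall policy
    edit 10
        set name "Dev1-to-Dev2-NAT-mode"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "MAC-Device1"
        set dstaddr "IP-Device2"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# --- Case 2: virtual wire pair (or transparent-mode VDOM) ---
# Both members are bridged at layer 2, so the MAC object is valid as dstaddr too
# and the policy binds both endpoints to their hardware addresses.
config system virtual-wire-pair
    edit "vwp-dev1-dev2"
        set member "port2" "port3"
    next
end

config firewall policy
    edit 20
        set name "Dev1-to-Dev2-vwp"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "MAC-Device1"
        set dstaddr "MAC-Device2"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Implicit deny covers every other MAC pair; an explicit deny with logging
    # makes the rejected attempts visible in the traffic log.
    edit 21
        set name "Deny-other-vwp-traffic"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After applying either variant, `diagnose firewall iprope lookup` or the GUI policy lookup can be used to confirm which policy a given source/destination pair hits; in case 1, note that only the source side is tied to a MAC, so the destination check remains an IP check and the log entries will not show a destination MAC match.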
tstroebele
New Contributor

It would be great to be able to see the vendor ID in the GUI and also use it for the destination. It is such a nice feature to use vendor-ID and/or MAC address objects, but it would be even better not to have the requirement of virtual wire pair mode or transparent mode to use it for a destination.
